Follow the money: can we track down the WannaCry perpetrators?

By Joshua Goddard, 7Safe Cyber Incident Specialist | 18 May 2017

The recent well-reported ransomware attack on organisations globally has raised some serious questions about anonymity online and the ease with which cyber criminals can cover their tracks and hide, making it a far safer alternative to traditional crime. In the absence of a ‘patient 0’ in the attack (the first system to be infected), can we find the perpetrators by the address we were told to send money to?

The answer is maybe. The malware tells its victims to send $300 worth of Bitcoin to an address displayed on the screen. This address is what is known as a ‘Bitcoin Wallet’, and it is by its very nature very difficult to link to an individual.

How does Bitcoin work?

Bitcoin is the most famous crypto-currency in operation today. There are very good articles that clearly explain the technology and ideology of Bitcoin and crypto-currencies in general. Put simply, Bitcoin operates on a distributed public ledger system, whereby transactions are published in the public domain through the ‘Blockchain’ and verified by computational power. Unlike traditional centralised monetary systems, the Blockchain is completely transparent and shared between users. This means that you can view all transactions and see the amount of money in any Bitcoin wallet by searching for its address.

How can we follow the money?

Blockchain.info is a website which lets you query this public Blockchain. Let’s look at one of the Bitcoin wallet addresses displayed in an instance of WannaCry.

So the wallet contains 14.46487704 bitcoins -- that's about £19,804 at the time of writing. None of the money sent to the wallet has been withdrawn yet.

The biggest transaction into this wallet was 1.999 bitcoins (£2,726) on 13th May 2017, around the time the attack is suspected to have taken its biggest hold. Let’s assume that this individual or organisation didn’t have an incident response plan or recent backup. We can only wonder whether or not they were actually able to decrypt their files.

The average transaction is 0.168196245 bitcoins – or $296.34. That’s close to the $300 demand.
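The three figures read off the explorer page above (balance, largest payment, average payment) can be computed directly from an address's transaction list. The following is an added example, not part of the original article: the address is a placeholder, the transactions are constructed sample data, and the JSON field names (`txs`, `out`, `inputs`, `prev_out`, `value` in satoshis) are assumed to follow a block explorer's per-address export.

```python
import json
from datetime import datetime, timezone

SATOSHI = 100_000_000            # satoshis per bitcoin
ADDR = "EXAMPLE_RANSOM_ADDRESS"  # placeholder, not a real address

# Constructed sample in the assumed explorer format. Not real WannaCry data.
SAMPLE = json.loads("""
{"address": "EXAMPLE_RANSOM_ADDRESS", "txs": [
 {"hash": "tx1", "time": 1494633600,
  "inputs": [{"prev_out": {"addr": "victimA", "value": 17010000}}],
  "out": [{"addr": "EXAMPLE_RANSOM_ADDRESS", "value": 17000000}]},
 {"hash": "tx2", "time": 1494676800,
  "inputs": [{"prev_out": {"addr": "victimB", "value": 250000000}}],
  "out": [{"addr": "EXAMPLE_RANSOM_ADDRESS", "value": 199900000},
          {"addr": "victimB", "value": 50000000}]},
 {"hash": "tx3", "time": 1494763200,
  "inputs": [{"prev_out": {"addr": "victimC", "value": 16600000}}],
  "out": [{"addr": "EXAMPLE_RANSOM_ADDRESS", "value": 16500000}]}
]}
""")

def summarise(data, addr):
    """Summarise payments into and out of addr, counted in whole satoshis."""
    received, spent = [], 0
    for tx in data["txs"]:
        # Outputs paying addr are deposits; change outputs to others are ignored.
        paid_in = sum(o["value"] for o in tx["out"] if o.get("addr") == addr)
        # Inputs that spend addr's earlier outputs are withdrawals.
        # Coinbase inputs carry no prev_out, hence the .get() fallback.
        spent += sum(i["prev_out"]["value"] for i in tx["inputs"]
                     if i.get("prev_out", {}).get("addr") == addr)
        if paid_in:
            received.append((paid_in, tx["time"], tx["hash"]))
    total = sum(value for value, _, _ in received)
    biggest = max(received, default=(0, 0, None))
    day = datetime.fromtimestamp(biggest[1], timezone.utc).date().isoformat()
    return {
        "payments": len(received),
        "balance_btc": (total - spent) / SATOSHI,
        "withdrawn": spent > 0,
        "largest_btc": biggest[0] / SATOSHI,
        "largest_day": day,
        "average_btc": total / len(received) / SATOSHI if received else 0.0,
    }

if __name__ == "__main__":
    print(summarise(SAMPLE, ADDR))
```

A `withdrawn` value that flips to true is the moment an investigator starts following the outputs of the spending transaction to the next address.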

The malware is reported to have three different Bitcoin wallet addresses hardcoded into it. Gizmodo estimates that the perpetrators have only raised about $26,000 from the attack so far.

Can we link this address to an individual?

Probably not. The Bitcoin information website 99bitcoins.com posted an article on how you can link a bitcoin address to an individual.

We could search for this address to find any forum posts or social profiles with it listed - but the attacker is likely cleverer than that.

We could ask Bitcoin exchange sites to check their data. Exchange sites are how you trade virtual currency for real currency. Most of these services require photographic identification before you make your first trade, to comply with money laundering laws where they are based. There are ways around this on the dark web – think wads of cash in an envelope sent to your door.

We could look through the data held by online shops who accept Bitcoin. This old money-laundering technique works just as well, if not better, with cryptocurrency.

We could look through the data held by thin client or hosted wallet providers. These are essentially offline wallets that use your IP address to link it back to you.

We could query ISP information to try and find the attacker if they weren’t clever enough to hide their internet traffic with a VPN. It’s unlikely the perpetrator forgot this minor detail - but everybody slips up at some point, right?

Beyond technical means to track someone down, we need to consider the ‘softer’ methods. Hackers generally boast about their attacks. If it’s an individual or group behind this worldwide assault on data, they might just want to get the kudos for it. Bragging about crimes has caught criminals out for centuries.

Bitcoin has been a hot topic in intelligence circles for years, and it’s likely that all credible intelligence agencies monitor the Blockchain. One private company based in the UK specialises in advising nation states and law enforcement in ‘Bitcoin intelligence’. Check out Elliptic to learn about how they use advanced analytics and Blockchain monitoring to provide ‘actionable intelligence’ for their clients.

So how likely is it that we will find the perpetrators?

I have absolutely no idea. The money will likely sit in the wallet for a long time then be broken up into hundreds if not thousands or millions of small transactions until it is lost in the Blockchain. It might even end up being someone’s unlimited supply of coffee.

How can 7Safe help?

In this investigation, we can’t do a lot more than the Bitcoin intelligence services. We are, however, experts in open source intelligence gathering following a cyber incident. If you’d really like to know why you were attacked, have a chat with us, and we’ll probably be able to tell you some pretty interesting stuff. We’ll even provide you with an unlimited supply of coffee*.

*For the duration of our meeting served from a large urn up to a maximum of 4 people.